Why the IRS Isn’t Concerned About the Size of the Equifax Data Breach Is Even Scarier

The Equifax data breach is far from being one of the largest in history, but it certainly opens up the door for the possibility of identity theft, given the nature of the data. The IRS, however, believes that about two-thirds of the affected individuals may have already had their data in the hands of the cyber criminals.

According to data available thus far, about 145 million people were affected by the incident, which exposed information including home addresses, dates of birth, Social Security numbers, and driver’s license data. In terms of the number of affected accounts, Equifax doesn’t even touch the magnitude of the Yahoo data breach, where all 3 billion accounts were breached during the 2014 incident. However, the Equifax incident involves information that’s more sensitive in nature and can be used for more nefarious purposes, including identity theft, fraudulent tax returns, and more elaborate scams. By comparison, the Yahoo data breach involved usernames, badly hashed passwords, and security questions, which can all be used to crack email and other online accounts. There’s also the fact that Equifax made its data breach known in a more timely manner than Yahoo, where the two or three years that had passed since the breaches made the knowledge of the hack all but obsolete – the hackers had had enough time to do whatever they wanted with the info.

The IRS, however, believes that about 100 million of those affected by the Equifax data breach already had their data stolen by hackers.

“Our estimate is a significant percentage of those taxpayers already had their information in the hands of criminals,” said Commissioner John Koskinen of the situation, a while back.

That is perhaps an even more concerning situation – the IRS knows and estimates that some 100 million American citizens had already had their sensitive data stolen and it does not panic at the thought. The full number of affected citizens in the Equifax data breach amounts to nearly half of the entire population of the United States of America.

In terms of how sensitive this information is, it certainly qualifies for what can be called “grey secrets.” These are the secrets that can be either “white,” rather innocent, or “black,” more serious, depending on the situation. Grey secrets can be either embarrassing or tragic, depending on who finds out about this particular secret and how they came by it. You don’t mind your family knowing your address, your full name, date of birth and Social Security number, but you certainly do mind if some stranger has this data and can, let’s say, impersonate you and take out a bank loan in your name, or make a purchase that ends up being yours to pay.

The IRS has a rather good piece of advice for Americans – assume your data has already been stolen and act accordingly. At the same time, this is a rather sad situation to be in – act as if someone, somewhere, already has all your secrets at their fingertips. What does “act accordingly” mean? Do people need to start acting with a certain level of paranoia every time they take a step? Perhaps that’s the point we’ve reached right now.

The IRS, however, seems to be rather happy with the progress it has made in warning citizens of the dangers they’re facing. In fact, the IRS commissioner said that in the past two years, they’ve seen the number of identity theft-related tax returns decline by two-thirds.

“The progress we’ve made in protecting taxpayers is especially important when you look at how much sensitive personal information has fallen into the hands of criminals recently. A wide range of private and public-sector organizations have seen their systems compromised. I cannot imagine where the nation’s tax system would be today if we hadn’t started this effort back in 2015,” Koskinen added, referring to the Get Transcript fiasco which ended with some 700,000 US taxpayer accounts accessed and targeted by someone other than the actual taxpayer.

The IRS found that cyber criminals used taxpayer information stolen from one place or another on the Web to access the Get Transcript application. When the discovery was made, the IRS decided to halt the feature for about a year before launching it again. In the meantime, however, it started a PR campaign to help citizens learn more about the dangers they are in and to advise them to be more cautious.

A Good Example

The IRS’ stance on things shows just the attitude the world’s companies need to have – a proactive approach to protecting customers. Management teams need to become more aware of the importance of investing appropriate amounts of money into cybersecurity. We can’t exactly turn the US Government into the poster boy for cybersecurity practices, but its PR stunt did its job of raising awareness, so we should at least give them that.

Corporations allocate about 5% of their IT development budget to security, although SANS estimates indicate that figure is only an average, with many of them putting as little as 4% into this sensitive field. The percentage of companies that spend over 25% on cybersecurity is a mere 2.5%. More importantly, 15% of companies spend less than 3% on cybersecurity.

There are positive signs in the field, indicating that investments in cybersecurity are on the rise, but judging by the number of data breaches we hear about so often, it’s obvious that it’s not enough. In short, once companies see that no matter how much money they put into cybersecurity, the number of attacks doesn’t decrease, they might be less inclined to dedicate even more money, wondering just where the limit is. If hackers are going to break in even after millions are spent on cybersecurity, then what’s the point of doing it over and over again?

Well, the answer is simple, and Europeans have found a way to make sure those who deal with citizen data can be held accountable if they suffer a data breach. If a company suffers a data breach and fails to notify authorities in a timely manner, it can receive fines of up to 20 million Euro, or about $23.3 million.

What’s more, a company that has suffered a data breach also suffers a drop in credibility among people. In the end, its business will suffer considerably, and the consequences will only grow as time moves on and people become even more aware of the value of their data. Everyone wants to keep their secrets close to the vest, especially when revealing them could have repercussions on their lives; any company that fails to protect those secrets will only have to suffer.

In the future, the attitude the European Union has towards citizens’ data will hopefully spread across the world. Hopefully, we will also no longer see moves such as the one made by US politicians to repeal the single rule that would have allowed citizens to band together to sue Equifax, choosing to protect a corporation rather than 145 million citizens.

Another hope we all have is that corporations will start taking the necessary steps to protect themselves. If there are no consequences from both law enforcement and the population, however, there’s little chance we will see actual changes taking place.